Abstract. We give an algebraic quantifier elimination algorithm for the
first-order theory over any given finite field using Gröbner basis methods.
The algorithm relies on the strong Nullstellensatz and properties of
elimination ideals over finite fields. We analyze the theoretical complexity
of the algorithm and show its application in the formal analysis of a
biological controller model.

1 Introduction 

We consider the problem of quantifier elimination of first-order logic formulas in
the theory $T_q$ of arithmetic in any given finite field $F_q$. Namely, given a quantified
formula $\varphi(x; y)$ in the language, where $x$ is a vector of quantified variables and $y$
a vector of free variables, we describe a procedure that outputs a quantifier-free
formula $\psi(y)$, such that $\varphi$ and $\psi$ are equivalent in $T_q$.

Clearly, $T_q$ admits quantifier elimination. A naive algorithm is to enumerate
the exponentially many assignments to the free variables $y$, and for each
assignment $a \in F_q^{|y|}$, evaluate the truth value of the closed formula $\varphi(x; a)$ (with
a decision procedure). Then the quantifier-free formula equivalent to $\varphi(x; y)$ is
$\bigvee_{a \in A} (y = a)$, where $A = \{a \in F_q^{|y|} : \varphi(x; a) \text{ is true}\}$. This naive algorithm
always requires exponential time and space, and cannot be used in practice.
Note that a quantifier elimination procedure is more general and complex than
a decision procedure: Quantifier elimination yields an equivalent quantifier-free
formula while a decision procedure outputs a yes/no answer. For instance, fully
quantified formulas over finite fields can be "bit-blasted" and encoded as Quantified
Boolean Formulas (QBF), whose truth value can, in principle, be determined
by QBF decision procedures. However, for formulas with free variables, the use
of decision procedures can only serve as an intermediate step in the naive
algorithm mentioned above, and does not avoid the exponential enumeration of
values for the free variables. We believe there has been no investigation into
quantifier elimination procedures that can be practically used for this theory.
Such procedures are needed, for instance, in the formal verification of cipher
programs involving finite field arithmetic [16, 8] and polynomial dynamical
systems over finite fields that arise in systems biology [11, 12, 4]. Take the S2VD
virus competition model as an example, which we study in detail in Section
6: The dynamics of the system is given by a set of polynomial equations over the
field $F_4$. We can encode image computation and invariant analysis problems as
quantified formulas, which are solvable using quantifier elimination. As is
mentioned in [11], there exists no verification method suitable for such systems over
general finite fields so far.

In this paper we give an algebraic quantifier elimination algorithm for $T_q$.
The algorithm relies on strong Nullstellensatz and Gröbner basis methods. We
analyze its theoretical complexity, and show its practical application.

In Section 3, we exploit the strong Nullstellensatz over finite fields and
properties of elimination ideals, to show that Gröbner basis computation gives a way
of eliminating quantifiers in formulas of the form $\exists x(\bigwedge_i \alpha_i)$, where the $\alpha_i$s are
atomic formulas and $\exists x$ is a quantifier block. We then show, in Section 4, that the
DNF-expansion of formulas can be avoided by using standard ideal operations to
"flatten" the formulas. Any quantifier-free formula can be transformed into
conjunctions of atomic formulas at the cost of introducing existentially quantified
variables. This transformation is linear in the size of the formula, and can be seen
as a generalization of the Tseitin transformation. Combining the techniques, we
obtain a complete quantifier elimination algorithm.

In Section 5, we analyze the complexity of our algorithm, which depends
on the complexity of Gröbner basis computation over finite fields. For ideals in
$F_q[x]$ that contain $x_i^q - x_i$ for each $x_i$, Buchberger's Algorithm computes Gröbner
bases within exponential time and space [13]. Using this result, the worst-case
time/space complexity of our algorithm is bounded by $q^{O(|\varphi|)}$ when $\varphi$ contains
no more than two alternating blocks of quantifiers, and for more alternations.
Recently a polynomial-space algorithm for Gröbner basis computation
over finite fields has been proposed in [17], but it remains theoretical so far. If the
new algorithm can be practically used, the worst-case complexity of quantifier
elimination is $q^{O(|\varphi|)}$ for arbitrary alternations.

Note that this seemingly high worst-case complexity, as is common for Gröbner
basis methods, does not prevent the algorithm from being useful on practical
problems. This is crucially different from the naive algorithm, which always
requires exponential cost, not just in worst cases. In Section 6, we show how the
algorithm is successfully applied in the analysis of a controller design in the
S2VD virus competition model, which is a polynomial dynamical system
over finite fields. The authors developed control strategies to ensure a safety
property in the model, and used simulations to conclude that the controller is
effective. However, using the quantifier elimination algorithm, we found bugs that
show inconsistency between specifications of the system and its formal model.
This shows how our algorithm can provide a practical way of extending formal
verification techniques to models over finite fields.

Throughout the paper, omitted proofs are provided in the Appendix. 



2 Preliminaries 



2.1 Ideals, Varieties, Nullstellensatz, and Gröbner Bases

Let $k$ be any field and $k[x_1, \dots, x_n]$ the polynomial ring over $k$ with indeterminates
$x_1, \dots, x_n$. An ideal generated by $f_1, \dots, f_m \in k[x_1, \dots, x_n]$ is
$\langle f_1, \dots, f_m \rangle = \{h : h = \sum_{i=1}^{m} g_i f_i, \ g_i \in k[x_1, \dots, x_n]\}$.
Let $a \in k^n$ be an arbitrary point, and $f \in k[x_1, \dots, x_n]$ be a polynomial.
We say that $f$ vanishes on $a$ if $f(a) = 0$.

Definition 2.1. For any subset $J$ of $k[x_1, \dots, x_n]$, the affine variety of $J$ over
$k$ is $V_n(J) = \{a \in k^n : \forall f \in J, f(a) = 0\}$.

Definition 2.2. For any subset $V$ of $k^n$, the vanishing ideal of $V$ is defined
as $I(V) = \{f \in k[x_1, \dots, x_n] : \forall a \in V, f(a) = 0\}$.

Definition 2.3. Let $J$ be any ideal in $k[x_1, \dots, x_n]$; the radical of $J$ is defined
as $\sqrt{J} = \{f \in k[x_1, \dots, x_n] : \exists m \in N, f^m \in J\}$.

When $J = \sqrt{J}$, we say $J$ is a radical ideal. The celebrated Hilbert Nullstellensatz
established the correspondence between radical ideals and varieties:

Theorem 2.1 (Strong Nullstellensatz [14]). For an arbitrary field $k$, let $J$
be an ideal in $k[x_1, \dots, x_n]$. We have $I(V^a(J)) = \sqrt{J}$, where $k^a$ is the algebraic
closure of $k$ and $V^a(J) = \{a \in (k^a)^n : \forall f \in J, f(a) = 0\}$.

The method of Gröbner bases was introduced by Buchberger [HI for the
algorithmic solution of various fundamental problems in commutative algebra. For
an ideal $\langle f_1, \dots, f_m \rangle$ in a polynomial ring, Gröbner basis computation transforms
$f_1, \dots, f_m$ to a canonical representation $\langle g_1, \dots, g_s \rangle = \langle f_1, \dots, f_m \rangle$ that has many
useful properties. Detailed treatment of the theory can be found in [3].

Definition 2.4. Let $T = \{x_1^{\alpha_1} \cdots x_n^{\alpha_n} : \alpha_i \in N\}$ be the set of monomials in
$k[x_1, \dots, x_n]$. A monomial ordering $\prec$ on $T$ is a well-ordering on $T$ satisfying

(1) For any $t \in T$, $1 \prec t$

(2) For all $t_1, t_2, s \in T$, if $t_1 \prec t_2$ then $t_1 \cdot s \prec t_2 \cdot s$.

We order the monomials appearing in any single polynomial $f \in k[x_1, \dots, x_n]$
with respect to $\prec$. We write $LM(f)$ to denote the leading monomial in $f$ (the
maximal monomial under $\prec$), and $LT(f)$ to denote the leading term of $f$ ($LM(f)$
multiplied by its coefficient). We write $LM(S) = \{LM(f) : f \in S\}$ where $S$ is a
set of polynomials.

Let $J$ be an ideal in $k[x_1, \dots, x_n]$. Fix any monomial order on $T$. The ideal of
leading monomials of $J$, $\langle LM(J) \rangle$, is the ideal generated by the leading
monomials of all polynomials in $J$. Now we are ready to define:

Definition 2.5 (Gröbner Basis [3]). A Gröbner basis for $J$ is a set $GB(J) =
\{g_1, \dots, g_s\} \subseteq J$ satisfying $\langle LM(GB(J)) \rangle = \langle LM(J) \rangle$.



2.2 The First-order Theory over a Finite Field 



Let $F_q$ be an arbitrary finite field of size $q$, where $q$ is a prime power. We fix the
structure to be $M_q = \langle F_q, 0, 1, +, \times \rangle$ and the signature $\mathcal{L}_q = \langle 0, 1, +, \times \rangle$ ("=" is
a logical predicate). For quantified formulas, we write $\varphi(x; y)$ to emphasize that
$x$ is a vector of quantified variables and $y$ is a vector of free variables.

The standard first-order theory for each $M_q$ consists of the usual axioms for
fields [H] plus $\exists x_1 \cdots \exists x_q ((\bigwedge_{1 \le i < j \le q} x_i \ne x_j) \wedge \forall y (\bigvee_i y = x_i))$, which fixes the
size of the domain. We write this theory as $T_q$. In $\mathcal{L}_q$, we consider all the atomic
formulas as polynomial equations $f = 0$. The realization of a formula is the set of
assignments to its free variables that makes the formula true over $M_q$. Formally:

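Definition 2.6 (Realization). Let $\varphi(x_1, \dots, x_n)$ be a formula with free
variables $x = (x_1, \dots, x_n)$. The realization of $\varphi$, written as $[\![\varphi]\!] \subseteq F_q^n$, is inductively
defined as:

- $[\![p = 0]\!] =_{df} V(\langle p \rangle) \subseteq F_q^n$ (in particular, $[\![\top]\!] = F_q^n$)

- $[\![\neg\psi]\!] = F_q^n \setminus [\![\psi]\!]$

- $[\![\exists x_0.\psi(x_0, x)]\!] = \{(a_1, \dots, a_n) \in F_q^n : \exists a_0 \in F_q \text{ such that } (a_0, \dots, a_n) \in [\![\psi]\!]\}$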

Proposition 2.1 (Fermat's Little Theorem). Let $F_q$ be a finite field. For
any $a \in F_q$, we have $a^q - a = 0$. Conversely, $V(x^q - x) = [\![x^q - x = 0]\!] = F_q$.

Definition 2.7 (Quantifier Elimination). $T_q$ admits quantifier elimination if
for any formula $\varphi(x; y)$, where the $x$ variables are quantified and the $y$ variables
free, there exists a quantifier-free formula $\psi(y)$ such that $[\![\varphi(x; y)]\!] = [\![\psi(y)]\!]$.



2.3 Nullstellensatz in Finite Fields 



The strong Nullstellensatz admits a special form over finite fields. This was
proved for prime fields in [10] and used in [4, 5]. Here we give a short proof that
the special form holds over arbitrary finite fields, as a corollary of Theorem 2.1.



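Lemma 2.1. For any ideal $J \subseteq F_q[x_1, \dots, x_n]$, $J + \langle x_1^q - x_1, \dots, x_n^q - x_n \rangle$ is radical.

Theorem 2.2 (Strong Nullstellensatz in Finite Fields). For an arbitrary
finite field $F_q$, let $J \subseteq F_q[x_1, \dots, x_n]$ be an ideal, then

$I(V(J)) = J + \langle x_1^q - x_1, \dots, x_n^q - x_n \rangle$.

Proof. Apply Theorem 2.1 to $J + \langle x_1^q - x_1, \dots, x_n^q - x_n \rangle$ and use Lemma 2.1. We
have $I(V^a(J + \langle x_1^q - x_1, \dots, x_n^q - x_n \rangle)) = J + \langle x_1^q - x_1, \dots, x_n^q - x_n \rangle$. But since
$V^a(\langle x_1^q - x_1, \dots, x_n^q - x_n \rangle) = F_q^n$, it follows that

$V^a(J + \langle x_1^q - x_1, \dots, x_n^q - x_n \rangle) = V^a(J) \cap F_q^n = V(J)$.

Thus we obtain $I(V(J)) = J + \langle x_1^q - x_1, \dots, x_n^q - x_n \rangle$. □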



3 Quantifier Elimination Using Gröbner Bases



In this section, we show that the key step in quantifier elimination can be
realized by Gröbner basis computation. Namely, for any formula $\varphi$ of the form
$\exists x \bigwedge_{i=1}^{r} f_i(x, y) = 0$, we can compute a quantifier-free formula $\psi(y)$ such that
$[\![\varphi(x; y)]\!] = [\![\psi(y)]\!]$. We use the following notational conventions:

— $|x| = n$ is the number of quantified variables and $|y| = m$ the number of
free variables. We write $x^q - x =_{df} \{x_1^q - x_1, \dots, x_n^q - x_n\}$ and $y^q - y =_{df}
\{y_1^q - y_1, \dots, y_m^q - y_m\}$, and call them field polynomials (following [in]).

— We use $a = (a_1, \dots, a_n) \in F_q^n$ to denote the assignment for the $x$ variables,
and $b = (b_1, \dots, b_m) \in F_q^m$ for the $y$ variables. $(a, b) \in F_q^{n+m}$ is a complete
assignment for all the variables in $\varphi$.

— When we write $J \subseteq F_q[x, y]$ or a formula $\varphi(x; y)$, we assume that all the
$x, y$ variables do occur in $J$ or $\varphi$. We assume that the $x$ variables always
rank higher than the $y$ variables in the lexicographic order.

3.1 Existential Quantification and Elimination Ideals 

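First, we show that eliminating the $x$ variables is equivalent to projecting the
variety $V(\langle f_1, \dots, f_r \rangle)$ from $F_q^{n+m}$ to $F_q^m$.

Lemma 3.1. For $f_1, \dots, f_r \in F_q[x, y]$, we have $[\![\bigwedge_{i=1}^{r} f_i = 0]\!] = V(\langle f_1, \dots, f_r \rangle)$.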

Definition 3.1 (Projection). The l-th projection mapping is defined as:

$\pi_l : F_q^N \to F_q^{N-l}, \quad \pi_l((c_1, \dots, c_N)) = (c_{l+1}, \dots, c_N)$

where $l < N$. For any set $A \subseteq F_q^N$, we write $\pi_l(A) = \{\pi_l(c) : c \in A\} \subseteq F_q^{N-l}$.

Lemma 3.2. $[\![\exists x \varphi(x; y)]\!] = \pi_n([\![\varphi(x; y)]\!])$.

Next, we show that the projection $\pi_n$ of the variety $V_{n+m}(\langle f_1, \dots, f_r \rangle)$ from
$F_q^{n+m}$ to $F_q^m$ is exactly the variety $V_m(\langle f_1, \dots, f_r \rangle \cap F_q[y])$.

Definition 3.2 (Elimination Ideal [7]). Let $J \subseteq F_q[x_1, \dots, x_N]$ be an ideal.
The l-th elimination ideal $J_l$, for $1 \le l \le N$, is the ideal of $F_q[x_{l+1}, \dots, x_N]$
defined by $J_l = J \cap F_q[x_{l+1}, \dots, x_N]$.

The following lemma shows that adding field polynomials does not change
the realization. For $f_1, \dots, f_r \in F_q[x, y]$, we have:

Lemma 3.3. $[\![\bigwedge_{i=1}^{r} f_i = 0]\!] = [\![\bigwedge_{i=1}^{r} f_i = 0 \wedge \bigwedge_{i=1}^{n} (x_i^q - x_i = 0) \wedge \bigwedge_{i=1}^{m} (y_i^q - y_i = 0)]\!]$.

Now we can prove the key equivalence between projection operations and
elimination ideals. This requires the use of Nullstellensatz for finite fields.

Theorem 3.1. Let $J \subseteq F_q[x, y]$ be an ideal which contains the field polynomials
for all the variables in $J$. We have $\pi_n(V(J)) = V(J_n)$.



Proof. We show inclusion in both directions.

- $\pi_n(V(J)) \subseteq V(J_n)$:

For any $b \in \pi_n(V(J))$, there exists $a \in F_q^n$ such that $(a, b) \in V(J)$. That is,
$(a, b)$ satisfies all polynomials in $J$; in particular, $b$ satisfies all polynomials
in $J$ that only contain the $y$ variables ($a$ is not assigned to variables). Thus,
$b \in V(J \cap F_q[y]) = V(J_n)$.

- $V(J_n) \subseteq \pi_n(V(J))$:

Let $b$ be a point in $F_q^m$ such that $b \notin \pi_n(V(J))$. Consider the polynomial

$f_b = \prod_{i=1}^{m} \prod_{c \in F_q \setminus \{b_i\}} (y_i - c)$.

$f_b$ vanishes on all the points in $F_q^m$ except $b$, since $(y_i - b_i)$
is excluded in the product for all $i$. In particular, $f_b$ vanishes on all the
points in $V(J)$, because for each $(a, b') \in V(J)$, $b'$ must be different from $b$,
and $f_b(a, b') = f_b(b') = 0$ (since there are no $x$ variables). Therefore, $f_b$ is
contained in the vanishing ideal of $V(J)$, i.e., $f_b \in I(V(J))$.
Now, Theorem 2.2 shows $I(V(J)) = J + \langle x^q - x, y^q - y \rangle$. Since $J$ already
contains the field polynomials, we know $J + \langle x^q - x, y^q - y \rangle = J$, and
consequently $I(V(J)) = J$. Since $f_b \in I(V(J))$, we must have $f_b \in J$. But
on the other hand, $f_b \in F_q[y]$. Hence $f_b \in J \cap F_q[y] = J_n$. But since
$f_b(b) \ne 0$, we know $b \notin V(J_n)$. □



3.2 Quantifier Elimination using Elimination Ideals 



Theorem 3.1 shows that to obtain the projection of a variety over $F_q$, we only
need to take the variety of the corresponding elimination ideal. In fact, this can
be easily done using the Gröbner basis of the original ideal:

Proposition 3.1 (cf. [7]). Let $J \subseteq F_q[x_1, \dots, x_N]$ be an ideal and let $G$ be the
Gröbner basis of $J$ with respect to the lexicographic order $x_1 \succ \cdots \succ x_N$. Then
for every $1 \le l \le N$, $G \cap F_q[x_{l+1}, \dots, x_N]$ is a Gröbner basis of the l-th elimination
ideal $J_l$. That is, $J_l = \langle G \rangle \cap F_q[x_{l+1}, \dots, x_N] = \langle G \cap F_q[x_{l+1}, \dots, x_N] \rangle$.

Now, putting all the lemmas together, we arrive at the following theorem:

Theorem 3.2. Let $\varphi(x; y)$ be $\exists x.(\bigwedge_{i=1}^{r} f_i = 0)$, a formula in $\mathcal{L}_q$, with $f_i \in
F_q[x, y]$. Let $G$ be the Gröbner basis of $\langle f_1, \dots, f_r, x^q - x, y^q - y \rangle$. Suppose $G \cap
F_q[y] = \{g_1, \dots, g_s\}$; then we have $[\![\varphi]\!] = [\![\bigwedge_{i=1}^{s} (g_i = 0)]\!]$.

Proof. We write $J = \langle f_1, \dots, f_r, x^q - x, y^q - y \rangle$ for convenience. First, by Lemma
3.3, adding the polynomials $x^q - x$ and $y^q - y$ does not change the realization:

$[\![\varphi]\!] = [\![\exists x.(\bigwedge_{i=1}^{r} f_i = 0)]\!] = [\![\exists x.(\bigwedge_{i=1}^{r} f_i = 0 \wedge \bigwedge_{i=1}^{n} (x_i^q - x_i = 0) \wedge \bigwedge_{i=1}^{m} (y_i^q - y_i = 0))]\!]$

Next, by Lemma 3.2, the quantification on $x$ corresponds to projecting a variety:

$[\![\exists x.(\bigwedge_{i=1}^{r} f_i = 0 \wedge \bigwedge_{i=1}^{n} (x_i^q - x_i = 0) \wedge \bigwedge_{i=1}^{m} (y_i^q - y_i = 0))]\!] = \pi_n(V(J))$.

Using Theorem 3.1, we know that the projection of a variety is equivalent to the
variety of the corresponding elimination ideal, i.e., $\pi_n(V(J)) = V(J \cap F_q[y])$.
Now, using the property of Gröbner bases in Proposition 3.1, we know the
elimination ideal $\langle G \rangle \cap F_q[y]$ is generated by $G \cap F_q[y]$:

$V(J \cap F_q[y]) = V(\langle G \rangle \cap F_q[y]) = V(\langle G \cap F_q[y] \rangle) = V(\langle g_1, \dots, g_s \rangle)$.

Finally, by Lemma 3.1, an ideal is equivalent to the conjunction of atomic
formulas given by the generators of the ideal: $V(\langle g_1, \dots, g_s \rangle) = [\![\bigwedge_{i=1}^{s} g_i = 0]\!]$.

Connecting all the equations above, we have shown $[\![\varphi]\!] = [\![\bigwedge_{i=1}^{s} g_i = 0]\!]$.
Note that $g_1, \dots, g_s \in F_q[y]$ (they do not contain $x$ variables). □



4 Formula Flattening with Ideal Operations 



If negations on atomic formulas can be eliminated (to be shown in Lemma 4.1),
Theorem 3.2 already gives a direct quantifier elimination algorithm. That is, we
can always use duality to make the innermost quantifier block an existential one,
and expand the quantifier-free part to DNF. Then the existential block can be
distributed over the disjuncts and Theorem 3.2 is applied. However, this direct
algorithm always requires exponential blow-up in expanding formulas into DNF.

We show that the DNF-expansion can be avoided: Any quantifier-free formula
can be transformed into an equivalent formula of the form $\exists z.(\bigwedge_{i=1}^{r} f_i = 0)$,
where $z$ are new variables and the $f_i$s are polynomials. The key is that Boolean
conjunctions and disjunctions can both be turned into additions of ideals; in the
latter case new variables need be introduced. This transformation can be done
in linear time and space, and is a generalization of the Tseitin transformation
from $F_2$ to general finite fields.

We use the usual definition of ideal addition and multiplication. Let $J_1 =
\langle f_1, \dots, f_r \rangle$ and $J_2 = \langle g_1, \dots, g_s \rangle$ be ideals, and $h$ be a polynomial. Then $J_1 + J_2 =
\langle f_1, \dots, f_r, g_1, \dots, g_s \rangle$ and $J_1 \cdot h = \langle f_1 \cdot h, \dots, f_r \cdot h \rangle$.

Lemma 4.1 (Elimination of Negations). Suppose $\varphi$ is a quantifier-free
formula in $\mathcal{L}_q$ in NNF and contains $k$ negative atomic formulas. Then there is a
formula $\exists z.\psi$, where $\psi$ contains new variables $z$ but no negative atoms, such
that $[\![\varphi]\!] = [\![\exists z.\psi]\!]$.

Lemma 4.2 (Elimination of Disjunctions). Suppose $\psi_1$ and $\psi_2$ are two
formulas in variables $x_1, \dots, x_n$, and $J_1$ and $J_2$ are ideals in $F_q[x_1, \dots, x_n]$ satisfying
$[\![\psi_1]\!] = V(J_1)$ and $[\![\psi_2]\!] = V(J_2)$. Then, using $x_0$ as a new variable, we have
$[\![\psi_1 \vee \psi_2]\!] = V(J_1) \cup V(J_2) = \pi_0(V(x_0 J_1 + (1 - x_0) J_2))$.



Theorem 4.1. For any quantifier-free formula $\varphi(x)$ given in NNF, there
exists a formula $\psi$ of the form $\exists u, v(\bigwedge_i (f_i(x, u, v) = 0))$ such that $[\![\varphi]\!] = [\![\psi]\!]$.
Furthermore, $\psi$ can be generated in time $O(|\varphi|)$, and also $|u| + |v| = O(|\varphi|)$.

Proof. Since $\varphi(x)$ is in NNF, all the negations occur in front of atomic formulas.
We first use Lemma 4.1 to eliminate the negations. Suppose there are $k$ negative
atomic formulas in $\varphi$; we obtain $[\![\varphi]\!] = [\![\exists u_1, \dots, u_k.\varphi']\!]$. Now $\varphi'$ does not contain
negations.

We then prove that there exists an ideal $J_{\varphi'}$ for $\varphi'$ satisfying $\pi_{|v|}(V(J_{\varphi'})) =
[\![\varphi']\!]$, where $v$ are the introduced variables (which rank higher than the existing
variables in the variable ordering, so that the projection $\pi_{|v|}$ truncates
assignments on the $v$ variables).

— If $\varphi'$ is an atomic formula $f = 0$, then $J_{\varphi'} = \langle f \rangle$;

— If $\varphi'$ is of the form $\theta_1 \wedge \theta_2$, then $J_{\varphi'} = J_{\theta_1} + J_{\theta_2}$;

— If $\varphi'$ is of the form $\theta_1 \vee \theta_2$, then $J_{\varphi'} = v_i \cdot J_{\theta_1} + (1 - v_i) \cdot J_{\theta_2}$, where $v_i$ is new.

Note that the new variables are only introduced in the disjunction case, and
therefore the number of $v$ variables equals the number of disjunctions. Following
Lemma 3.1 and 4.2, the transformation preserves the realization of the formula
in each case. Hence, we have $\pi_{|v|}(V(J_{\varphi'})) = [\![\varphi']\!]$. Writing $J_{\varphi'} = \langle f_1, \dots, f_r \rangle$, we
know $[\![\varphi]\!] = [\![\exists u.\varphi']\!] = [\![\exists u \exists v. \bigwedge_{i=1}^{r} f_i = 0]\!]$. Notice that the number of rewriting
steps is bounded by the number of logical symbols appearing in $\varphi$. Hence the
transformation is done in time linear in the size of the formula. The number of
new variables is equal to the number of negations and disjunctions. □
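
The flattening in the proof of Theorem 4.1, as an added example (not code from the paper): a Python sketch that builds the generators for an NNF formula and checks by enumeration that projecting away the new variables gives back the realization. The tuple encoding of formulas, all function names and the two sample formulas are assumptions of this example; negated atoms use the form u*f - 1 = 0 that appears in Formula (1) of Section 5.1, and only prime q is supported because arithmetic is done modulo q.

```python
from itertools import count, product


def flatten(formula, q, fresh=None):
    """Flatten an NNF formula into polynomial generators over extra variables.

    Formulas are tuples: ("eq", f), ("neq", f), ("and", A, B), ("or", A, B),
    where f maps an assignment dict to an integer. Returns (gens, new_vars):
    the formula holds at a point iff some assignment to new_vars makes every
    generator evaluate to 0 mod q.
    """
    fresh = fresh if fresh is not None else count()
    tag = formula[0]
    if tag == "eq":                       # atom f = 0 gives the ideal <f>
        return [lambda e, p=formula[1]: p(e) % q], []
    if tag == "neq":                      # f != 0  iff  exists u. u*f - 1 = 0
        poly, u = formula[1], "u%d" % next(fresh)
        return [lambda e, p=poly, u=u: (e[u] * p(e) - 1) % q], [u]
    left, lvars = flatten(formula[1], q, fresh)
    right, rvars = flatten(formula[2], q, fresh)
    if tag == "and":                      # conjunction: ideal addition J1 + J2
        return left + right, lvars + rvars
    if tag == "or":                       # disjunction: v*J1 + (1 - v)*J2, v new
        v = "v%d" % next(fresh)
        gens = [lambda e, g=g, v=v: (e[v] * g(e)) % q for g in left]
        gens += [lambda e, g=g, v=v: ((1 - e[v]) * g(e)) % q for g in right]
        return gens, lvars + rvars + [v]
    raise ValueError("unknown connective: %r" % (tag,))


def holds(formula, env, q):
    """Direct semantics of the NNF formula at one assignment."""
    tag = formula[0]
    if tag == "eq":
        return formula[1](env) % q == 0
    if tag == "neq":
        return formula[1](env) % q != 0
    if tag == "and":
        return holds(formula[1], env, q) and holds(formula[2], env, q)
    return holds(formula[1], env, q) or holds(formula[2], env, q)


def direct_realization(formula, variables, q):
    """Realization by evaluating the formula at every point of F_q^n."""
    return {vals for vals in product(range(q), repeat=len(variables))
            if holds(formula, dict(zip(variables, vals)), q)}


def flattened_realization(formula, variables, q):
    """Projection of the variety of the flattened generators onto `variables`."""
    gens, new_vars = flatten(formula, q)
    points = set()
    for vals in product(range(q), repeat=len(variables)):
        env = dict(zip(variables, vals))
        for extra in product(range(q), repeat=len(new_vars)):
            env.update(zip(new_vars, extra))
            if all(g(env) == 0 for g in gens):
                points.add(vals)
                break
    return points


# Constructed sample formulas over the variables (b, c).
VARS = ("b", "c")
P1 = lambda e: e["b"] ** 2 - e["b"] * e["c"]
P2 = lambda e: e["c"] ** 2 - 1
SAMPLE = ("or", ("neq", P1), ("neq", P2))            # two negations, one disjunction
NESTED = ("and", ("eq", lambda e: e["b"] - e["c"]), SAMPLE)

if __name__ == "__main__":
    for q in (3, 5):
        same = flattened_realization(SAMPLE, VARS, q) == direct_realization(SAMPLE, VARS, q)
        print("q =", q, "flattening preserves realization:", same)
    print("new variables:", flatten(SAMPLE, 3)[1])
```

For q > 2 the disjunction variable can take values other than 0 and 1; at such a value both ideals must vanish, which is still inside the union, so the projection stays exact.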

5 Algorithm Description and Complexity Analysis 

We now describe the full algorithm using the following notations: 

— The input formula is given by $\varphi = Q_1 x_1 \cdots Q_m x_m \psi$. Each $Q_i x_i$ represents
a quantifier block, where $Q_i$ is either $\exists$ or $\forall$. $Q_i$ and $Q_{i+1}$ are different
quantifiers. We write $x = (x_1, \dots, x_m)$. $\psi$ is a quantifier-free formula in $x$ and $y$
given in NNF, where $y$ are free variables.

— We assume the innermost quantifier is existential, $Q_m = \exists$. (Otherwise we
apply quantifier elimination on the negation of the formula.)

5.1 Algorithm Description 

Section 3 shows how to eliminate existential quantifiers over conjunctions of
positive atomic formulas. Section 4 shows how formulas can be put into
conjunctions of positive atoms with new quantified variables. It follows that we can
always eliminate the innermost existential quantifiers, and iterate the process by
flipping the universal quantifiers into existential ones. We first emphasize some
special features of the algorithm:



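Algorithm 1 Quantifier Elimination for $\varphi = Q_1 x_1 \cdots Q_m x_m \psi$

1: Input: $\varphi = Q_1 x_1 \cdots Q_m x_m \psi(x_1, \dots, x_m, y)$ where $m$ is the number of
   quantifier alternations, $Q_m x_m$ is an existential block ($Q_m = \exists$), and $\psi$ is in
   negation normal form.
2: Output: A quantifier-free equivalent formula of $\varphi$
3: Procedure QE($\varphi$)
4: while $m \ge 1$ do
5:     $\exists u.\psi' \leftarrow$ Eliminate_Negations($\psi$)
6:     $\exists v.(f_1 = 0 \wedge \cdots \wedge f_r = 0) \leftarrow$ Formula_Flattening($\psi'$)
7:     $\varphi \leftarrow Q_1 x_1 \cdots Q_m x_m \exists u \exists v.(f_1 = 0 \wedge \cdots \wedge f_r = 0)$
8:     $\{g_1, \dots, g_s\} =$ Gröbner_Basis($\langle f_1, \dots, f_r, x^q - x, u^q - u, v^q - v \rangle$)
9:     if $m = 1$ then
10:        $\varphi \leftarrow g_1 = 0 \wedge \cdots \wedge g_s = 0$
11:        break
12:    end if
13:    $\varphi \leftarrow Q_1 x_1 \cdots Q_{m-2} x_{m-2} Q_{m-1} x_{m-1}.(\bigwedge_{i=1}^{s} g_i = 0)$ where $Q_{m-1} = \forall$
14:    $\varphi \leftarrow Q_1 x_1 \cdots Q_{m-2} x_{m-2}.(\bigwedge_{i=1}^{s} \neg\exists x_{m-1}(g_i \ne 0))$
15:    for $i = 1$ to $s$ do
16:        $\bigwedge_{j=1}^{t_i} h_{ij} = 0 \leftarrow$ QE($\exists x_{m-1}(g_i \ne 0)$)
17:    end for
18:    $\varphi \leftarrow Q_1 x_1 \cdots Q_{m-2} x_{m-2} \bigwedge_{i=1}^{s} (\bigvee_{j=1}^{t_i} h_{ij} \ne 0)$
19:    $m \leftarrow m - 2$
20: end while
21: return $\varphi$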



— In each elimination step, a full quantifier block is eliminated. This is
desirable in practical problems, which usually contain many variables but few
alternating quantifier blocks. For instance, many verification problems are
expressible using two blocks of quantifiers ($\forall\exists$-formulas).

— The quantifier elimination step essentially transforms an ideal to another
ideal. This corresponds to transforming conjunctions of atomic formulas to
conjunctions of new atomic formulas. Therefore, the quantifier elimination
steps do not introduce new nesting of Boolean operators.

— The algorithm always directly outputs CNF formulas.

A formal description of the full algorithm is given in Algorithm 1. The main
steps in the algorithm are explained below. Each loop of the algorithm contains
three main steps. In Step 1, $\psi$ is flattened; in Step 2, the innermost existential
quantifier block is eliminated; in Step 3, the next (universal) quantifier block is
eliminated and the process loops back to Step 1. The algorithm terminates either
after Step 2 or Step 3, when there are no remaining quantifiers to be eliminated.

• Step 1: (Line 5-7)

First, since $\psi$ is in NNF, we use Theorem 4.1 to eliminate the negations and
disjunctions in $\psi$ to get $[\![\varphi]\!] = [\![Q_1 x_1 \cdots Q_m x_m \exists u \exists v.(\bigwedge_{i=1}^{r} f_i = 0)]\!]$, where $u$
are the variables introduced for eliminating negations (Lemma 4.1), and $v$ are
the variables introduced for eliminating disjunctions (Lemma 4.2).

• Step 2: (Line 8-12)

Since $Q_m = \exists$, using Theorem 4.1, we can eliminate the variables $x_m, u, v$
simultaneously by computing

$\{g_1, \dots, g_s\} = GB(\langle f_1, \dots, f_r, x_m^q - x_m, u^q - u, v^q - v, y^q - y \rangle) \cap F_q[x_1, \dots, x_{m-1}, y]$.

Now we have $[\![\varphi]\!] = [\![Q_1 x_1 \cdots Q_{m-1} x_{m-1}.(\bigwedge_{i=1}^{s} (g_i = 0))]\!]$.

If there are no more quantifiers, the output is $\bigwedge_{i=1}^{s} (g_i = 0)$, which is in CNF.

• Step 3: (Line 13-18)

Since $Q_{m-1} = \forall$, we distribute the block $Q_{m-1} x_{m-1}$ over the conjuncts:

$[\![\varphi]\!] = [\![Q_1 x_1 \cdots Q_{m-2} x_{m-2}(\bigwedge_{i=1}^{s} (\neg\exists x_{m-1} \neg(g_i = 0)))]\!]$

Now we do elimination recursively on $\exists x_{m-1}(\neg(g_i = 0))$ for each $i \in \{1, \dots, s\}$,
which can be done using only Step 1 and Step 2. We obtain:

$[\![\exists x_{m-1}(\neg g_i = 0)]\!] = [\![\exists x_{m-1} \exists u'.(g_i \cdot u' - 1 = 0)]\!] = [\![\bigwedge_{j=1}^{t_i} h_{ij} = 0]\!]$   (1)

and the formula becomes (note that the extra negation is distributed)

$[\![\varphi]\!] = [\![Q_1 x_1 \cdots Q_{m-2} x_{m-2}.(\bigwedge_{i=1}^{s} (\bigvee_{j=1}^{t_i} h_{ij} \ne 0))]\!]$.   (2)

If there are no more quantifiers left, the output formula is $\bigwedge_{i=1}^{s} (\bigvee_{j=1}^{t_i} h_{ij} \ne 0)$,
which is in CNF. Otherwise, $Q_{m-2} = \exists$, and we return to Step 1.

Theorem 5.1 (Correctness). Let $\varphi(x; y)$ be a formula $Q_1 x_1 \cdots Q_m x_m \psi$ where
$Q_m = \exists$ and $\psi$ is in NNF. Algorithm 1 computes a quantifier-free formula $\varphi'(y)$,
such that $[\![\varphi(x; y)]\!] = [\![\varphi'(y)]\!]$ and $\varphi'$ is in CNF.



5.2 Complexity Analysis 

The worst-case complexity of Gröbner basis computation on ideals in $F_q[x]$ that
contain $x_i^q - x_i$ for each variable $x_i$ is known to be single exponential in the
number of variables in time and space. This follows from the complexity result
for Gröbner basis computation of zero-dimensional radical ideals ^Bj (a direct
proof can be found in [S]).

Proposition 5.1. Let $J = \langle f_1, \dots, f_r, x^q - x \rangle \subseteq F_q[x_1, \dots, x_n]$ be an ideal. The
time and space complexity of Buchberger's Algorithm is bounded by $q^{O(n)}$,
assuming that the length of input $(f_1, \dots, f_r)$ is dominated by $q^{O(n)}$.

Now we are ready to estimate the complexity of our algorithm. 



Theorem 5.2 (Complexity). Let $\varphi$ be the input formula with $m$ quantifier
blocks. When $m \le 2$, the time/space complexity of Algorithm 1 is bounded by
$q^{O(|\varphi|)}$. Otherwise, it is bounded by

Proof. The complexity is dominated by Gröbner basis computation, whose
complexity is determined by the number of variables occurring in the ideal. When
$m \le 2$, the main loop is executed once, and the number of newly introduced
variables is bounded by the original length of the input formula. Therefore, Gröbner
basis computations can be done in single exponential time/space. When $m > 2$,
the number of newly introduced variables is bounded by the length of the formula
obtained from the previous run of the main loop, which can itself be exponential
in the number of the remaining variables. In that case, Gröbner basis
computation can take double exponential time/space.
• Case $m \le 2$:

In Step 1, the number of the introduced $u$ and $v$ variables equals the
number of negations and disjunctions that appear in $\varphi$. Hence the total
number of variables is bounded by the length of $\varphi$. The flattening takes linear
time and space, $O(|\varphi|)$, as proved in Theorem 4.1.

In Step 2, by Proposition 5.1, Gröbner basis computation takes time/space
$q^{O(|\varphi|)}$.

In Step 3, the variables $x_m, u, v$ have all been eliminated. The length of each
$g_i u' - 1$ (see Formula (1) in Step 3) is bounded by the number of monomials
consisting of the remaining variables, which is $O(q^{|y| + \sum_{i=1}^{m-1} |x_i|})$ (because the
degree on each variable is lower than $q$). Following Proposition 5.1, Gröbner
basis computation on each $g_i u' - 1$ takes time and space $q^{O(|y| + \sum_{i=1}^{m-1} |x_i|)}$, which
is dominated by $q^{O(|\varphi|)}$. Also, since the number $s$ of conjuncts is the number of
polynomials in the Gröbner basis computed in the previous step, we know $s$ is
bounded by $q^{O(|\varphi|)}$. In sum, Step 3 takes $q^{O(|\varphi|)}$ time/space in worst case.

Thus, the algorithm has worst-case time and space complexity $q^{O(|\varphi|)}$ when
$m \le 2$.

• Case $m > 2$:

When $m > 2$, the main loop is iterated for more than one round. The key
change in the second round is that the initial number of conjunctions and
disjunctions in each conjunct could both be exponential in the number of the
remaining variables $(x_1, \dots, x_{m-2})$. That means, writing the max of $t_i$ as $t$ (see
Formula (2) in Step 3), both $s$ and $t$ can be of order $q^{O(|\varphi|)}$.

In Step 1 of the second round, the number of the $u$ variables introduced
for eliminating the negations is $s \cdot t$. The number of the $v$ variables introduced
for eliminating disjunctions is also $s \cdot t$. Hence the flattened formula may now
contain $q^{O(|\varphi|)}$ variables.

In Step 2 of the second round, Gröbner basis computation takes time and
space exponential in the number of variables. Therefore, Step 2 can now take
$q^{q^{O(|\varphi|)}}$ in time and space.

In Step 3 of the second round, however, the number of conjuncts $s$ does not
become doubly exponential. This is because $g_i$ in Step 3 no longer contains the
exponentially many introduced variables; they were already eliminated in the
previous step. Thus $s$ is reduced back to single exponential in the number of the
remaining variables; i.e., it is bounded by $q^{O(|\varphi|)}$. Similarly, the Gröbner basis
computation on each $g_i u' - 1$, which now contains variables $x_1, \dots, x_{m-1}, y$, takes
time and space $q^{O(|\varphi|)}$. In all, Step 3 takes time and space $q^{O(|\varphi|)}$.

In sum, the second round of the main loop can take time/space $q^{q^{O(|\varphi|)}}$.
At the end of the loop, the size of formula is reduced to $q^{O(|\varphi|)}$ after the Gröbner
basis computations, because it is at most single exponential in the number of
the remaining variables. Therefore, the double exponential bound remains for
future iterations of the main loop. □

Recently, [17] reports a Gröbner basis computation algorithm in finite fields
using polynomial space. This algorithm is theoretical and cannot be applied
yet. Given the analysis above, if such a polynomial-space algorithm for Gröbner
basis computation can be practically used, the intermediate expressions do not
have the double-exponential blow-up. On the other hand, it does not lower the
space bound of our algorithm to polynomial space, because during flattening of
the disjunctions, the introduced terms are multiplied together. To expand the
introduced terms, one may still use exponential space. It remains further work to
investigate whether the algorithm can be practically used and how it compares
with Buchberger's Algorithm.

Proposition 5.2. If there exists a polynomial-space Gröbner basis computation
algorithm over finite fields for ideals containing the field polynomials, the
time/space complexity of our algorithm is bounded by $q^{O(|\varphi|)}$.

6 Example and Application 

6.1 A Walk-through Example 

Consider the following formula over $F_3$:

$\varphi : \exists b \forall a \exists y \exists x.((y = ax^2 + bx + c) \wedge (y = ax))$

which has three alternating quantifier blocks and one free variable. We ask for
a quantifier-free formula $\psi(c)$ equivalent to $\varphi$.

We fix the lexicographic ordering to be $x \succ y \succ a \succ b \succ c$. First, we compute
the Gröbner basis $G_0$ of the ideal
$\langle y - ax^2 - bx - c, y - ax, x^3 - x, y^3 - y, a^3 - a, b^3 - b, c^3 - c \rangle$,
and obtain the Gröbner basis of the elimination ideal

$G_1 = G_0 \cap F_3[a, b, c] = \{abc + ac^2 + b^2c - c, a^3 - a, b^3 - b, c^3 - c\}$.

After this, $x$ and $y$ have been eliminated, and we have:

$[\![\varphi]\!] = [\![\exists b \forall a.((abc + ac^2 + b^2c - c = 0) \wedge (a^3 - a = 0) \wedge (b^3 - b = 0) \wedge (c^3 - c = 0))]\!]$
$= [\![\exists b \forall a.(abc + ac^2 + b^2c - c = 0)]\!]$
$= [\![\exists b.(\neg\exists a \exists u.(u(abc + ac^2 + b^2c - c) - 1 = 0))]\!]$

Now we eliminate quantifiers in $\exists a \exists u((abc + ac^2 + b^2c - c) \cdot u - 1 = 0)$, again by
computing the Gröbner basis $G_2$ of the ideal

$\langle (abc + ac^2 + b^2c - c)u - 1, a^3 - a, b^3 - b, c^3 - c, u^3 - u \rangle \cap F_3[b, c]$.

We obtain $G_2 = \{b^2 - bc, c^2 - 1\}$. Therefore $[\![\varphi]\!] = [\![\exists b(\neg(b^2 - bc = 0 \wedge c^2 - 1 = 0))]\!]$.
(Note that if $b$ and $c$ are both free variables, $b^2 - bc \ne 0 \vee c^2 - 1 \ne 0$ would
be the quantifier-free formula containing $b, c$ that is equivalent to $\varphi$.)

Next, we introduce $u_1$ and $u_2$ to eliminate the negations, and $v$ to eliminate
the disjunction:

$[\![\varphi]\!] = [\![\exists b \exists u_1 \exists u_2 \exists v.(((b^2 - bc)u_1 - 1)v = 0 \wedge ((c^2 - 1)u_2)(1 - v) = 0)]\!]$.

We now do a final step of computation of the Gröbner basis $G_3$ of:

$\langle ((b^2 - bc)u_1 - 1)v, ((c^2 - 1)u_2)(1 - v), b^3 - b, c^3 - c, u_1^3 - u_1, u_2^3 - u_2, v^3 - v \rangle \cap F_3[c]$.

We obtain $G_3 = \{c^3 - c\}$. This gives us the result formula $[\![\varphi]\!] = [\![c^3 - c = 0]\!]$,
which means that $c$ can take any value in $F_3$ to make the formula true.
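
An added check of the walk-through (not part of the paper, which used Gröbner basis computations): the naive enumeration from the Introduction, run over $F_3$ in Python, confirms that the bases $G_1$ and $G_2$ reported above have the realizations the theory predicts and that every value of c satisfies the formula. Function names are assumptions of this example.

```python
from itertools import product

Q = 3                 # field size; F_3 is the integers modulo 3
F = range(Q)


def exists(pred):
    """True if some element of F_3 satisfies pred."""
    return any(pred(v) for v in F)


def forall(pred):
    """True if every element of F_3 satisfies pred."""
    return all(pred(v) for v in F)


def core(x, y, a, b, c):
    """Quantifier-free part: y = a*x^2 + b*x + c  and  y = a*x."""
    return (y - a * x * x - b * x - c) % Q == 0 and (y - a * x) % Q == 0


def g1(a, b, c):
    """The generator of G1 that is not a field polynomial."""
    return (a * b * c + a * c * c + b * b * c - c) % Q


def g2(b, c):
    """Values of the two generators of G2 at (b, c)."""
    return ((b * b - b * c) % Q, (c * c - 1) % Q)


def realization(formula, arity):
    """All assignments to the free variables that satisfy formula."""
    return {pt for pt in product(F, repeat=arity) if formula(*pt)}


def inner(a, b, c):
    """exists y exists x. core, with a, b, c free."""
    return exists(lambda y: exists(lambda x: core(x, y, a, b, c)))


def step1_matches():
    """[[exists y exists x. core]] equals V(G1) over (a, b, c)."""
    return realization(inner, 3) == realization(lambda a, b, c: g1(a, b, c) == 0, 3)


def step2_matches():
    """[[exists a exists u. u*g1 - 1 = 0]] equals V(G2) over (b, c)."""
    lhs = realization(
        lambda b, c: exists(lambda a: exists(lambda u: (u * g1(a, b, c) - 1) % Q == 0)), 2)
    return lhs == realization(lambda b, c: g2(b, c) == (0, 0), 2)


def witnesses():
    """For each c, the values of b for which 'forall a exists y exists x' holds."""
    return {c: [b for b in F if forall(lambda a: inner(a, b, c))] for c in F}


def final_realization():
    """[[exists b forall a exists y exists x. core]] over the free variable c."""
    return realization(lambda c: bool(witnesses()[c]), 1)


if __name__ == "__main__":
    print("G1 agrees with enumeration:", step1_matches())
    print("G2 agrees with enumeration:", step2_matches())
    print("witness b values per c:", witnesses())
    print("realization over c:", sorted(final_realization()))
```

The witness table also shows which b the outer existential picks for each c, information the final formula $c^3 - c = 0$ no longer carries.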

6.2 Analyzing a Biological Controller Design 

We studied a virus competition model named S2VD pTj, which models the
dynamics of virus competition as a polynomial system over finite fields. The
authors aimed to design a controller to ensure that one virus prevail in the
environment. They pointed out that there was no existing method for verifying
its correctness. The current design is confirmed effective by computer simulation
and lab experiments for a wide range of initializations. We attempted to establish
the correctness of the design with formal verification techniques. However, we
found bugs in the design.

All the Gröbner basis computations in this section are done using scripts in
the SAGE system [T| , which uses the underlying Singular implementation [51 . All
the formulas below are solved within 5 seconds on a Linux machine with 2GHz
CPU and 2GB RAM. They involve around 20 variables over $F_4$, with nonlinear
polynomials containing multiplicative products of up to 50 terms.




Fig. 1: (a) The ten rings of S2VD; (b) Cell x and its neighbor y cells; (c) The



The S2VD Model. The model consists of a hexagonal grid of cells. Each
hexagon represents a cell, and each cell has six neighbors. There are four possible 
colors for each cell. A green cell is infected with (the good) Virus G, and a red 
cell is infected with (the bad) Virus R. When the two viruses meet in one cell, 
Virus G captures Virus R and the cell becomes yellow. A cell not infected by 
any virus is white. The dynamics of the system is determined by the interaction 
of the viruses. 

There are ten rings of cells in the model, with a total of 331 cells (Figure 
1(a)). In the initial configuration, the cells in Ring 4 to 10 are set to white, and 
the cells in Ring 1 to 3 can start with arbitrary colors. The aim is to have a 
controller that satisfies the following safety property: The cells in the outermost 
ring are either green or white at all times. The proposed controller detects if any 
cell has been infected by Virus R, and injects cells that are "one or two rings 
away" from it with Virus G. The injected Virus G is used to block the further 
expansion of Virus R. 

Formally, the model is a polynomial system over the finite field $F_4 = \{0, 1, a, a+1\}$,
with each element representing one color: (0, green), (1, red), (a, white), (a + 1, yellow).
The dynamics is given by the function $f : F_4^{331} \to F_4^{331}$. For each
cell x, its dynamics $f_x$ is determined by the color of its six neighbors $y_1, \dots, y_6$,
specified by the nonlinear polynomial —df 7I +727? +fl^(7i +7i +7i)j where 
$\gamma_1 = \sum_{i=1}^{6} y_i$ and $\gamma_2 = \sum_{i \neq j} y_i y_j$. The designed controller is specified by another
function $g : F_4^{331} \to F_4^{331}$: For each cell x with $y_1, \dots, y_{18}$ representing the cells
in the two rings surrounding it, we define gx =df nl=i(l ~ Vi)^- More details 
can be found in [TT] . 

Applying Quantifier Elimination We first try checking whether the safety 
property itself forms an inductive invariant of the system (which is a strong 
sufficient check). To this end, we check whether the controlled dynamics of the 
system remain inside the invariant on the boundary (Ring 10) of the system. 
Let x be a cell in Ring 10 and $y = (y_1, \dots, y_{18})$ be the cells in its immediate
two rings. We assume the cells outside Ring 10 ($y_8, \dots, y_{12}, y_2, y_3$) are white. See
Figure 1(b) for the coding of the cells. We need to decide the formula:

$$\forall x\Big(\Big(\exists y\big(\big(\bigwedge_{i=8}^{12}(y_i = a) \wedge y_2 = a \wedge y_3 = a\big) \wedge \mathrm{Safe}(y) \wedge x = F_x(y)\big)\Big) \rightarrow \underbrace{x(x - a) = 0}_{\text{green/white}}\Big) \qquad (3)$$

where (writing $\gamma_1 = \sum_{i=1}^{6} y_i$, $\gamma_2 = \sum_{i \neq j \in \{1,\dots,6\}} y_i y_j$)

$$\mathrm{Safe}(y) =_{df} (y_1(y_1 - a) = 0 \wedge y_4(y_4 - a) = 0 \wedge y_7(y_7 - a) = 0 \wedge y_{13}(y_{13} - a) = 0)$$

18 

F.iv) =df (7I + 727? + a'(7? + 7? + 71)) • (11(1 - 2/0)' 

i = l 

After quantifier elimination. Formula ^ turns out to be false. In fact, we ob- 
tained = — a; = 0]. Therefore, the safety property itself is not an induc- 
tive invariant of the system. We realized that there is an easy counterexample 



of safety of the proposed controller design: Since the controller is only effective 
when red cells occur, it does not prevent the yellow cells from expanding into all the
cells. Although this is already a bug of the system, it may not conflict with the
authors' original goal of controlling the red cells. However, a more serious bug 
is found by solving the following formula: 



$$\forall x\Big(\Big(\exists y\big(\bigwedge_{i} y_i(y_i - a)(y_i - a^2) = 0 \wedge x = F_x(y)\big)\Big) \rightarrow \neg(x = 1)\Big) \qquad (4)$$

Formula (4) expresses the desirable property that when none of the neighbor cells
of x is red, x never becomes red. However, we found again that $[\![\varphi_2]\!] = [\![x^4 - x = 0]\!]$,
which means in this scenario the x cell can still turn red. Thus, the formal
model is inconsistent with the informal specification of the system, which says
that non-red cells can never interact to generate red cells. In fact, the authors
mentioned that the dynamics $F_x$ is not verified because of the combinatorial
explosion. Finally, to give a counterexample of the design, we solve the formula



$$\varphi_3 =_{df} \exists y \exists x.\,\big(x = 1 \wedge \bigwedge_{i} y_i(y_i - a)(y_i - a^2) = 0 \wedge x = F_x(y)\big) \qquad (5)$$

The formula checks whether there exists a configuration of $y_1, \dots, y_6$ which are
all non-red, such that x becomes red. $\varphi_3$ evaluates to true. Further, we obtain
x = 1, y = (a, a, a, 0, 0, 0) as a witness assignment for $\varphi_3$. This serves as the
counterexample (see Figure 1(c)).

This example shows how our quantifier elimination procedure provides a 
practical way of verifying and debugging systems over finite fields that were 
previously not amenable to existing formal methods and cannot be approached 
by exhaustive enumeration. 



7 Conclusion 



In this paper, we gave a quantifier elimination algorithm for the first-order
theory over finite fields based on the Nullstellensatz over finite fields and Gröbner
basis computation. We exploited special properties of finite fields and showed
the correspondence between elimination of quantifiers, projection of varieties,
and computing elimination ideals. We also generalized the Tseitin transformation
from Boolean formulas to formulas over finite fields using ideal operations.
The complexity of our algorithm depends on the complexity of Gröbner basis
computation. In an application of the algorithm, we successfully found bugs in a
biological controller design, where the original authors expressed that no
verification methods were able to handle the system. In future work, we expect to use
the algorithm to formally analyze more systems with finite field arithmetic. The
scalability of the method will benefit from further optimizations on Gröbner
basis computation over finite fields. It is also interesting to combine Gröbner basis
methods and other efficient Boolean methods (SAT and QBF solving). See [S]
for a discussion on how the two methods are complementary to each other.
Appendix: Omitted Proofs



Proof of Lemma 2.1 This is a consequence of Seidenberg's Lemma (Lemma
8.13 in [3]). It can also be directly proved as follows.

Proof. We need to show $\sqrt{J + \langle x_1^q - x_1, \dots, x_n^q - x_n \rangle} = J + \langle x_1^q - x_1, \dots, x_n^q - x_n \rangle$.
Since by definition, any ideal is contained in its radical, we only need to prove

$$\sqrt{J + \langle x_1^q - x_1, \dots, x_n^q - x_n \rangle} \subseteq J + \langle x_1^q - x_1, \dots, x_n^q - x_n \rangle.$$

Let R denote $F_q[x_1, \dots, x_n]$. Consider an arbitrary polynomial f in the ideal
$\sqrt{J + \langle x_1^q - x_1, \dots, x_n^q - x_n \rangle}$. By definition, for some integer s,
$f^s \in J + \langle x_1^q - x_1, \dots, x_n^q - x_n \rangle$. Let [f] and [J] be the images of, respectively, f and J, in
$R/\langle x_1^q - x_1, \dots, x_n^q - x_n \rangle$ under the canonical homomorphism from R to
$R/\langle x_1^q - x_1, \dots, x_n^q - x_n \rangle$. For brevity we write $S = \langle x_1^q - x_1, \dots, x_n^q - x_n \rangle$.

Now we have $[f]^s \in [J]$, and we further need $[f] \in [J]$. We prove, by induction
on the structure of polynomials, that for any $[g] \in R/S$, $[g]^q = [g]$.

- If $[g] = c x_1^{a_1} \cdots x_n^{a_n} + S$ ($c \in F_q$, $a_i \in N$), then

  $(c x_1^{a_1} \cdots x_n^{a_n} + S)^q = (c x_1^{a_1} \cdots x_n^{a_n})^q + S = c x_1^{a_1} \cdots x_n^{a_n} + S = [g]$.

- If $[g] = [h_1] + [h_2]$, by inductive hypothesis, $[h_1]^q = [h_1]$, $[h_2]^q = [h_2]$, and,
  since any element divisible by p is zero in $F_q$ (q a power of p), then

Hence $[g]^q = [g]$ for any $[g] \in R/S$, without loss of generality we can assume
$s < q$ in $[f]^s$. Then, since $[f]^s \in [J]$, $[f] = [f]^q = [f]^s \cdot [f]^{q-s} \in [J]$. □

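Proof of Lemma 3.1

Proof. Let $a \in F_q^{n+m}$ be an assignment vector for (x, y).

If $a \in [\![\bigwedge_{i=1}^{r} f_i = 0]\!]$, then $f_1(a) = \cdots = f_r(a) = 0$ and $a \in V(\langle f_1, \dots, f_r \rangle)$.
If $a \in V(\langle f_1, \dots, f_r \rangle)$, then $\bigwedge_{i=1}^{r} f_i(a) = 0$ is true and $a \in [\![\bigwedge_{i=1}^{r} f_i = 0]\!]$. □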

Proof of Lemma 3.2

Proof. We show set inclusion in both directions.

- For any $b \in [\![\exists x\,\varphi(x; y)]\!]$, by definition, there exists $a \in F_q^n$ such that (a, b)
  satisfies $\varphi(x; y)$. Therefore, $(a, b) \in [\![\varphi(x; y)]\!]$, and $b \in \pi_n([\![\varphi(x; y)]\!])$.

- For any $b \in \pi_n([\![\varphi(x; y)]\!])$, there exists $a \in F_q^n$ such that $(a, b) \in [\![\varphi(x; y)]\!]$.
  By definition, $b \in [\![\exists x\,\varphi(x; y)]\!]$. □



Proof of Lemma 3.3 

Proof. Wc have lA.eA. i^l -x^^O)A A.eA, iv! " 2/^ = 0)1 = TJ, which follows 
from Proposition 2.1. □ 



Proof of Lemma 4.1

Proof. Let $\varphi[\psi_1/\psi_2]$ denote substitution of $\psi_1$ in $\varphi$ by $\psi_2$. Suppose the negative
atomic formulas in $\varphi$ are $f_1 \neq 0, \dots, f_k \neq 0$.

We introduce a new variable $z_1$, and substitute $f_1 \neq 0$ by $p \cdot z_1 = 1$. Since the
field $F_q$ does not have zero divisors, all the solutions for $[\![f_1 \neq 0]\!] = [\![\exists z_1(p \cdot z_1 = 1)]\!]$
(the Rabinowitsch trick).

Iterating the procedure, we can use k new variables $z_1, \dots, z_k$ so that:

$$[\![\varphi]\!] = [\![\varphi[f_1 \neq 0/(\exists z_1.(p \cdot z_1 - 1 = 0))] \cdots [f_k \neq 0/(\exists z_k.(p \cdot z_k - 1 = 0))]]\!]$$

Since the result formula contains no more negations and the $z_i$'s are new variables,
it can be put into prenex form $\exists z.(\varphi[f_1 \neq 0/(p \cdot z_1 - 1 = 0)] \cdots [f_k \neq 0/(p \cdot z_k - 1 = 0)])$. □



Proof of Lemma 4.2

Proof. $[\![\psi_1 \vee \psi_2]\!] = V(J_1) \cup V(J_2)$ follows from the definition of realization. We
only need to show the second equality. Let $a = (a_1, \dots, a_n) \in F_q^n$ be a point.

- Suppose $a \in V(J_1) \cup V(J_2)$. If $a \in V(J_1)$, then $(1, a_1, \dots, a_n) \in V(x_0 J_1 + (1 - x_0) J_2)$.
  If $a \in V(J_2)$, then $(0, a_1, \dots, a_n) \in V(x_0 J_1 + (1 - x_0) J_2)$. In both
  cases, $a \in \pi_0(V(x_0 J_1 + (1 - x_0) J_2))$.

- Suppose $a \in \pi_0(V(x_0 J_1 + (1 - x_0) J_2))$. There exists $a_0 \in F_q$ such that
  $(a_0, a_1, \dots, a_n) \in V(x_0 J_1 + (1 - x_0) J_2)$. If $a_0 \notin \{0, 1\}$, then all the polynomials in
  $J_1$ and $J_2$ need to vanish on a; if $a_0 = 1$ then $J_1$ vanishes on a; if $a_0 = 0$ then
  $J_2$ vanishes on a. In all cases, $a \in V(J_1) \cup V(J_2)$. □



Proof of Theorem 5.1 

Proof. We only need to show the intermediate formulas obtained in Step 1-3 are 
always equivalent to the original formula $\varphi$. In Step 1, the formula is flattened
with ideal operations, which preserve the realization of the formula as proved in 



Theorem 4.1 In Step 2, we have (by Theorem 3.2) pa;,„3t3s(A;^i(/i = 
IAr=i(5. = 0)l. 

Hence the formula obtained in Step 2 is equivalent to $\varphi$. In Step 3, the
substitution preserves realization of the formula because 

U U U Vi 

lA Va;™-i(5. - 0)1 - l/\(-3a;„_i(-5, - 0))1 = l( f\{\J h,, ^ 0))1, 

i—l i—1 i—1 j — 1 

where the second equality is guaranteed by Theorem 3.2 again.

The loop terminates either at the end of Step 2 or Step 3. Hence the output
quantifier-free formula $\psi$ is always in conjunctive normal form, which contains
only variables y, and is equivalent to the original formula $\varphi$. □



